1. INTRODUCTION

A mobile ad hoc network (MANET) is a self-organizing, self-connected group of mobile nodes
that operates without central administration or fixed infrastructure. When a node wants to create a connection with
another node outside of its communication range, its neighbors collaborate with it and relay the
messages. The nodes of a MANET therefore behave as routers as well as hosts. The network’s topology is
temporary and constantly changing. In addition, nodes can leave the network and new ones can join it.
MANETs have a number of advantages over classical networks: they can be straightforwardly
deployed and dismantled, and they offer the flexibility that comes from the nodes not being attached.

MANET applications are in continuous development and cover a variety of areas, such as the vehicular
ad hoc network (VANET) [1] in smart road traffic [2], smart cities and smart homes, and smart
environments in general [3], as well as the flying ad hoc network (FANET) in smart air traffic [4]. Besides being operable
as stand-alone networks, ad hoc networks can also be attached to the Internet [5], as in the paradigms of the
internet of things (IoT) [6] and the internet of vehicles (IoV) [7].

An intrusion detection system (IDS) is the mechanism used by the network’s nodes to monitor and
analyze network traffic, determine which of it represents a breach of security policy and standards,
and report any illegal or malicious activity [8]. Based on the detection methodology used, IDSs are
divided into four categories [9], [10]:

—  ABID: Anomaly-based or behavior-based intrusion detection. 

—  KBID: Knowledge-based, also known as Misuse or Signature intrusion detection. 

—  SBID: Specification-based intrusion detection. 

—  Hybrid or compound IDS: a combination and fusion of the preceding detection techniques.

This work represents a continuation of our previous ones, where we studied the attacks in MANETs 
[11], and an extension and improvement of [12] and [13]. In this paper, we present a deep neural network 
IDS (DNN-IDS) for MANETs against both Distributed UDP/data and SYN flooding attacks. The presented 
models exhibit good results, according to the result of our experiments. 

The paper is organized as follows: section 2 presents some related works. Section 3 describes the proposed
work, defining the context of this work, the grid search used to develop an
adequate DNN model, the dataset used, and the selected features. Section 4 discusses the experimental
results obtained. Finally, we close this work with a conclusion.


2. RELATED WORKS 

This section presents works that have employed a deep learning approach in
IDSs for MANETs and their derivatives, such as VANETs. In [14], the authors propose a protection
mechanism based on the artificial neural network algorithm together with the swarm-based artificial bee
colony optimization technique, against blackhole and grayhole attacks for MANETs using the Ad hoc
On-demand Distance Vector (AODV) protocol. In [15], Feng et al. suggest an IDS installed in a plug and play
device to detect denial of service (DoS), XSS and SQL attacks for ad hoc networks using a deep learning
model. The authors use the KDD99 dataset plus XSS and SQL attack samples collected from a WAF log. In
[16], Zeng et al. present a deep learning IDS to detect blackhole, wormhole, sybil and distributed denial
of service (DDoS) attacks in VANETs. In the experimental phase, they use the ISCX 2012 IDS dataset [17] and
a dataset simulated with the ns-3 simulator [18]. Sowah et al. [19] advance an artificial neural network IDS to
detect the man-in-the-middle (MITM) attack and identify the malicious nodes for MANETs using the AODV
protocol. The paper uses a dataset generated by the ns-2 simulator to describe the performance of the developed IDS. In
[20], Alheeti and McDonald-Maier develop an intelligent hybrid IDS by combining knowledge and
anomaly detection methods for VANETs. The IDS is based on the proportional overlapping scores (POS) method,
a multilayer perceptron (MLP) and a fuzzy system to detect DoS attacks. The authors use the Kyoto
dataset for the performance tests. In [21], Vimala et al. combine a neural network algorithm, a support
vector machine and a fuzzy system in their proposed IDS for MANETs. For the test phase, the authors use the
KDD99 dataset. In our previous works [12] and [13], we proposed two IDSs for MANETs using a DNN, one to detect the UDP
flooding attack and the other to detect the SYN flooding attack. The CICDDoS2019 dataset is
used to test the proposed IDSs.


3. WORK DESCRIPTION 
3.1. Context of proposed work 

A UDP or data flooding attack, as its name suggests, occurs when attacker nodes inject into a MANET a
great volume of useless UDP packets; it is also a type of DDoS attack. As a result, the unnecessary packets
overload the network and decrease its bandwidth. They also consume the battery of intermediate nodes [11]. In
the previous works [22] and [12], we used the ns-3 platform [23] to study the MANET’s reaction with the
AODV [24] and OLSR [25] protocols when data flooding malicious nodes exist in the network; the results
showed that the network’s normalized routing load (NRL) increases and the network’s packet delivery ratio
(PDR) decreases by significant values. Another type of DDoS and flooding attack that MANETs suffer from
is the SYN flooding attack, which works by making use of the TCP connection’s three-way handshake
process [11].

Among the solutions for detecting these types of attacks is the knowledge-based
intrusion detection system (KBIDS). Figure 1 describes the architecture of a KBIDS: the IDS keeps a
knowledge base, or internal database, that contains signatures or patterns of already known threats and checks whether
any user’s activity matches the stored patterns/signatures, in which case an alarm is triggered. In the knowledge-based
intrusion detection (KBID) mechanism, an event is declared non-intrusive or acceptable if it is not
formally acknowledged as a threat based on the existing internal database. However, if an event that has reduced
network performance is detected as an unknown attack because it does not match the saved rules, the IDS
adds a new rule to the existing knowledge database.

Figure 1. Knowledge-based intrusion detection (KBID) [26]


3.2. CICDDoS2019 dataset 

The CICDDoS2019 dataset, defined in [27], has 80 network traffic features extracted from
packet capture (PCAP) files by the CICFlowMeter software, which is freely
available on the Canadian Institute for Cybersecurity website [28]. The dataset contains 12 types of DDoS
attack, and each attack is delivered in its own file. In our case, we use the files for the UDP and SYN attacks. In the
preceding work [11], we studied the existing attacks that MANETs suffer from, and we found that the UDP and SYN
flooding attacks are among them. The other attacks presented in this dataset are not considered for
MANETs, because of the applications used and the nature of MANET systems.


3.3. Proposed methodology 

To ensure the scalability of our proposed IDS, we use a standalone-based scheme in MANETs in which
nodes share detection results with their neighbors, with a privacy process [29] to secure the network
transactions between them. Because we are concentrating on intrusion detection, the intricacies of these
processes are outside the scope of this paper. Table 1 presents the grid search over the network structure and
hyper-parameters used to develop an optimal neural network topology. In our proposed solution for detecting UDP
and SYN flooding attacks in MANETs, we have selected 11 features to use in the proposed DNN model;
Table 2 presents their definitions. The steps involved in the DNN-IDS are shown in Figure 2.


Table 1. Hyper-parameters configured for grid search

| Hyper-parameter | Values |
|---|---|
| Number of layers | 3, 4 |
| Number of nodes | 37-75 |
| Weight initialization | random_normal; he_uniform |
| Optimization | rmsprop |
| Loss function | categorical_crossentropy |
| Learning rate | 0.01; 0.001; 0.0001 |


Table 2. Features used in the proposed DNN model

| Feature | Description |
|---|---|
| ACK Flag Count | Number of packets with ACK |
| Init Win bytes forward | The total number of bytes sent in initial window in the forward direction |
| min seg size forward | Minimum segment size observed in the forward direction |
| Fwd IAT Total | Packets flow inter arrival total time |
| Flow Duration | Length of connection in seconds |
| Destination port | Port receiving packets |
| Protocol | Type of the protocol used |
| Fwd IAT Min | Packets flow inter arrival time Min |
| Fwd IAT Max | Packets flow inter arrival time Max |
| Packet Length Std | Standard deviation of the packet length |
| Fwd Packet Length Std | Standard deviation of a packet in the forward direction |


3.4. Statistical measures 

To select the best and most adequate DNN model, we use accuracy, recall, F1-score, and precision as
performance metrics. In equations (1)-(4), the true positive (TP) and the true negative
(TN) denote the number of samples that were correctly classified as the Benign and Attack class respectively.
The false positive (FP) and the false negative (FN) are the number of Benign and Attack samples
respectively that have been incorrectly identified as Attack samples.


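$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{1}$$

$$\text{Precision} = \frac{TP}{TP + FP} \tag{2}$$

$$\text{Recall} = \frac{TP}{TP + FN} \tag{3}$$

$$\text{F1-Score} = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \tag{4}$$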

Figure 2. Block diagram of proposed DNN-IDS


4. EXPERIMENTAL RESULTS AND DISCUSSION 

In our experiment, we combined the different possible values of the hyper-parameters presented in
Table 1, in order to obtain the best results suitable for the case of MANETs, and we constructed
the training set and testing set from the CICDDoS2019 dataset according to the paper. Table 3 describes in detail
the training and testing sets. In Table 4, we present the different configurations of the DNN architecture, which
gave us the results presented in Figures 3 to 7. Note that we ran the DNN with a maximum of 4 layers
and between 37 and 75 total hidden nodes. This choice takes into consideration the weak
points of MANET nodes (power limitation, limited memory and computation capacity). The learning
rate parameter is fixed at 0.001, because in the test phase other values did not give us good results.
In short, this table presents the configurations of the promising DNN models.


Table 3. Different classifications in the training and testing sets

| Class | Number of training samples | Number of testing samples |
|---|---|---|
| Benign | 37 947 | 3 526 |
| SYN | 4284751 | 1582289 |
| UDP | 3134645 | 3754680 |


The experimental results are presented in Figures 3 to 7. In terms of accuracy, as shown in Figure 3,
Model 3 at 99.94% outperforms Model 5, Model 7, and Model 8 by 0.19%, 1.34% and 0.02%
respectively. For precision, as shown in Figure 4, Model 8 at 99% outperforms Model 3 by 1% and
the other models by 32%. For recall, as shown in Figure 5, Model 11 at 97% outperforms Model 6 and Model
2 by 1%, Model 2 and Model 4 by 2%, Model 7 and Model 9 by 3%, Model 12 by 5%, Model 1 and Model
10 by 7%, Model 5 by 16%, Model 3 by 17% and Model 8 by 29%. For F1-score, as shown in Figure 7,
Model 3 at 84% outperforms Model 5 by 11%, Model 8 by 14%, Model 7 by 15%, Model 11 by 16%,
Model 9 by 17%, Model 2, Model 4, Model 6, and Model 12 by 18%, and Model 1 by 20%. In terms of loss,
as shown in Figure 6, the best performances are those of Model 3, Model 5, and Model 8.
Model 8 at 1.2% outperforms Model 5 (Loss = 1.3%) by 0.1% and Model 3 (Loss = 2.6%) by 1.4%.

Analyzing the confusion matrix of Model 3 presented in Table 5, and
comparing all the parameters, we find that Model 3 (yellow row in Table 4) has the best results: a
lead of +0.19% over Model 8, which is the most efficient of the other models in terms of accuracy; a
difference of 1% from the best result (Model 8) in terms of precision; and a lead of +0.11% over Model 5,
which is the most efficient of the other models in terms of F1-score. For the loss, there is a difference
of 1.4% from the best result, offered by Model 8. Taking into consideration the use cases of MANETs, we
choose the model that has the minimum number of layers and hidden nodes, because more nodes imply
more power and computation consumption.


Table 4. DNN models

| Model | Layers | Nodes | Weight initialization | Learning rate |
|---|---|---|---|---|
| Model 1 | 3 | BY | random_normal | 0.001 |
| Model 2 | 3 | 39 | random_normal | 0.001 |
| Model 3 | 3 | 39 | he_uniform | 0.001 |
| Model 4 | 3 | 40 | random_normal | 0.001 |
| Model 5 | 3 | 42 | he_uniform | 0.001 |
| Model 6 | 3 | 48 | he_uniform | 0.001 |
| Model 7 | 3 | 48 | random_normal | 0.001 |
| Model 8 | 3 | 53 | he_uniform | 0.001 |
| Model 9 | 3 | 55 | he_uniform | 0.001 |
| Model 10 | 4 | §2 | random_normal | 0.001 |
| Model 11 | 4 | 71 | random_normal | 0.001 |
| Model 12 | 4 | 75 | random_normal | 0.001 |


Table 5. Confusion matrix of Model 3

|  | Benign | SYN | UDP |
|---|---|---|---|
| Benign | 1304 | 408 | 1814 |
| SYN | 88 | 3754503 | 89 |
| UDP | 1 | 553 | 1581735 |
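
The metrics of section 3.4 recomputed from the Table 5 confusion matrix, as an added example that is not part of the original paper. It assumes that rows are actual classes and columns are predicted classes (the Benign row sums to the 3 526 Benign test samples of Table 3), and that per-class values are one-vs-rest counts combined by macro averaging; the function names are illustrative.

```python
# Added example: metrics recomputed from the Table 5 confusion matrix (Model 3).
# Assumption: rows are actual classes and columns are predicted classes.
CLASSES = ["Benign", "SYN", "UDP"]
TABLE_5 = [
    [1304, 408, 1814],       # Benign
    [88, 3754503, 89],       # SYN
    [1, 553, 1581735],       # UDP
]


def accuracy(cm):
    """Correctly classified samples (the diagonal) over all samples."""
    correct = sum(cm[i][i] for i in range(len(cm)))
    return correct / sum(map(sum, cm))


def per_class(cm, labels):
    """One-vs-rest precision, recall and F1 for each class."""
    out = {}
    for k, label in enumerate(labels):
        tp = cm[k][k]
        fn = sum(cm[k]) - tp                     # actual k, predicted as another class
        fp = sum(row[k] for row in cm) - tp      # predicted k, actually another class
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        denom = precision + recall
        f1 = 2 * precision * recall / denom if denom else 0.0
        out[label] = {"precision": precision, "recall": recall,
                      "f1": f1, "support": tp + fn}
    return out


def macro(report, metric):
    """Unweighted mean of a metric over the classes (macro averaging, an assumption)."""
    return sum(r[metric] for r in report.values()) / len(report)


def benign_false_alarms(cm, labels):
    """Benign flows that the model labelled as one of the attack classes."""
    b = labels.index("Benign")
    return sum(cm[b]) - cm[b][b]


if __name__ == "__main__":
    rep = per_class(TABLE_5, CLASSES)
    print(f"accuracy = {accuracy(TABLE_5):.4%}")
    for label, r in rep.items():
        print(f"{label:6s} P={r['precision']:.4f} R={r['recall']:.4f} "
              f"F1={r['f1']:.4f} n={r['support']}")
    for m in ("precision", "recall", "f1"):
        print(f"macro {m} = {macro(rep, m):.4f}")
    print("benign flagged as attack:", benign_false_alarms(TABLE_5, CLASSES))
```

The Benign recall of about 0.37 (2222 of the 3526 benign flows are labelled as attacks) does not show in the 99.94% accuracy, which is dominated by the two attack classes.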

Figure 3. Accuracy results of DNN models

Figure 5. Recall results of DNN models

Figure 6. Loss results of DNN models

Figure 7. F1-score results of DNN models


CONCLUSION 
In this paper, we have applied a DNN algorithm in KBID to detect two important members of the
several DDoS attack categories: data/UDP flooding and SYN flooding attacks in MANETs. Our model was
trained and evaluated with the CICDDoS2019 dataset, which is purely dedicated to DDoS attacks and has a large
number of network transaction records. Given the environment of MANETs, the results obtained with a
DNN of a maximum of three deep hidden layers with 39 hidden nodes, a learning rate of 0.001 and the he_uniform
function for weight initialization are promising. As a perspective, we will continue this research by
upgrading the proposed IDS to identify other attacks in MANETs using a deep learning method and by finding a
solution to the problem of detecting zero-day attacks.